On Wednesday 19 March 2008 14:18:12 Valdis.Kletnieks(a)vt.edu wrote:
> However, *no* amount of special tagging will allow the IDS to disambiguate
> these two cases:
> 1) An audit rule was set, but no events generated because no activity
> matched.

In which case you have nothing to worry about. :)

> 2) An audit rule wasn't set at all.

Again nothing to worry about since they haven't set the system up yet.

> "unless you have a matching audit rule you will not get any records" means
> exactly that - so tagging the records you don't receive isn't useful.

But if you don't receive any records, nothing happened. :)

> There *is* the more general case of "I had a generic rule and a special
> watch and *both* fired" - but that problem is in no way IDS specific,

Right, this *is* something to worry about. I was thinking that we could solve
this by having an option that tells the kernel to evaluate all rules and not
just first match.
I have also been wondering about detecting shadowed rules and warning when
auditctl finishes a file.
-Steve
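An added illustration of the two ideas in this reply (an "evaluate all rules" mode versus the first-match behaviour the thread describes, and a static check for rules shadowed by an earlier, more general one). This is example code written for this page, not code from the thread, from auditctl or from the audit project. It assumes the first-match evaluation the thread describes, parses only a small subset of auditctl exit-rule syntax, and the rule file, event and all function names (`parse_rule`, `covers`, `shadowed_rules`, `evaluate`) are constructed for the example.

```python
"""Toy shadowed-audit-rule checker (added example, not from the audit project).

Assumptions, labelled as such:
  * Only this subset of auditctl syntax is parsed:
      -a always,exit -S <name[,name...]|all> [-F field=value ...] -k <key>
    Watches (-w) and -F operators other than '=' are rejected, not modeled.
  * Evaluation model is the one the thread describes: the exit list is walked
    in order and the first matching rule wins, unless "evaluate all" is on.
  * -F values are compared as exact strings (no dir= tree semantics).
"""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    line: str
    syscalls: FrozenSet[str]   # syscall names, or {"all"}
    fields: Dict[str, str]     # -F field=value constraints (exact match)
    key: Optional[str]


def parse_rule(line: str) -> Rule:
    argv = shlex.split(line)
    syscalls, fields, key = set(), {}, None
    i = 0
    while i < len(argv):
        opt = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if arg is None:
            raise ValueError(f"{opt} needs an argument: {line!r}")
        if opt == "-a":
            if arg != "always,exit":
                raise ValueError(f"only always,exit is modeled: {line!r}")
        elif opt == "-S":
            syscalls.update(arg.split(","))
        elif opt == "-F":
            name, sep, value = arg.partition("=")
            if sep != "=" or name[-1:] in "!<>&":   # reject !=, <=, >=, &=
                raise ValueError(f"only -F field=value is modeled: {line!r}")
            fields[name] = value
        elif opt == "-k":
            key = arg
        else:
            raise ValueError(f"unsupported option {opt!r}: {line!r}")
        i += 2
    if not syscalls:
        raise ValueError(f"rule has no -S: {line!r}")
    return Rule(line, frozenset(syscalls), fields, key)


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def covers(general: Rule, specific: Rule) -> bool:
    """True when every event matching `specific` also matches `general`,
    so `general` placed earlier in the list always wins under first-match."""
    sys_ok = "all" in general.syscalls or specific.syscalls <= general.syscalls
    fld_ok = all(specific.fields.get(k) == v for k, v in general.fields.items())
    return sys_ok and fld_ok


def shadowed_rules(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """(shadowed, shadowing) pairs: rules that can never fire under
    first-match because an earlier rule covers every event they match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later, earlier))
                break
    return found


def matches(rule: Rule, event: Dict[str, str]) -> bool:
    sys_ok = "all" in rule.syscalls or event.get("syscall") in rule.syscalls
    return sys_ok and all(event.get(k) == v for k, v in rule.fields.items())


def evaluate(rules: List[Rule], event: Dict[str, str],
             first_match: bool = True) -> List[Optional[str]]:
    """Keys of the rules that fire for `event`: the first match only (the
    behaviour the thread describes) or every match (the proposed option)."""
    keys = []
    for rule in rules:
        if matches(rule, event):
            keys.append(rule.key)
            if first_match:
                break
    return keys


# Constructed rule file: rules 2 and 5 are fully shadowed; rule 4 is partly
# shadowed by rule 1 (for open/openat), which only evaluate-all can surface.
RULES_CONSTRUCTED = """
-a always,exit -F arch=b64 -S open,openat -k generic_open
-a always,exit -F arch=b64 -S openat -F auid=1000 -k user1000_openat
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S all -F path=/etc/shadow -k shadow_any
-a always,exit -F arch=b64 -S execve -F path=/etc/shadow -k exec_shadow
"""

# Constructed event: login uid 1000 opening /etc/shadow via openat (x86_64).
EVENT_CONSTRUCTED = {"syscall": "openat", "arch": "b64",
                     "auid": "1000", "path": "/etc/shadow"}

if __name__ == "__main__":
    rules = load_rules(RULES_CONSTRUCTED)
    for later, earlier in shadowed_rules(rules):
        print(f"shadowed: {later.key} is never reached; covered by {earlier.key}")
    print("first match :", evaluate(rules, EVENT_CONSTRUCTED))
    print("evaluate all:", evaluate(rules, EVENT_CONSTRUCTED, first_match=False))
```

The static check only catches full subsumption (an earlier rule that matches everything a later one would). The partial case, the generic rule and the special watch both matching one event, is exactly what `evaluate(..., first_match=False)` makes visible: under first-match the event carries only the `generic_open` key, under evaluate-all it also carries `user1000_openat` and `shadow_any`.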